We have a client that calls a method on a stateless session bean to
act on other beans through local interfaces in a single (required) transaction
We wrote a SecurityProxy that does instance-based per-method authorization,
using our own fine grained permissions which are set for the user in the
database. This user does a JAAS login using Client and Database login
modules, so in SecurityProxy invoke() we can get his Principal from the
EJBContext and we can look up his permissions in the database based on
the name of that Principal.
But we don't want to do this database permissions lookup on every method invocation,
so we cache the set of permissions for that user in ThreadLocal the first time
our SecurityProxy does an invoke(), and we clear it out when the
transaction finishes (based on a Synchronization).
Is it legitimate to assume we will have the same thread through multiple
calls to local bean method invocations throughout one transaction. It
seems to work, but are we just lucky?
Thread locals work as long as there's no thread pool getting into the mix, which may break it.